The proposed kill switch is a command that is sent back to an attacking server to stop the attack in its tracks. A victim can reportedly stop the attack by sending a "flush_all" command back to the attacking servers. The measure was first proposed by Dormando, one of the Memcached server developers.

Corero said that the flush_all kill switch "has not been observed to cause any collateral damage." It effectively invalidates a vulnerable server’s cache, which means that any potentially malicious payload will become useless. The firm said that once the cache of the attacking servers has been cleared of any malicious payload, they are no longer able to cause the amplification effect of the DDoS attack.

The number of Memcached servers starts to go down

Memcached, which stores data in RAM to speed up access times, was not designed to be accessible online. Left in their default configuration, these servers expose port 11211, which attackers then use to reflect and amplify DDoS attacks. By generating spoofed requests, attackers can amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of traffic. With over 95,000 servers allowing connections on 11211, the potential for abuse and the possibility of more such attacks is significant.

While the above technique would help companies who cannot afford mitigation services to deal with these devastating DDoS attacks, the industry is also working to reduce the number of Memcached servers left accessible online - the primary reason behind these attacks.

"Although there were 107,431 Memcached servers in Shodan this morning. The population Memcached is slowly but steadily shrinking," security researcher Victor Gevers tweeted. "Servers which were vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made."

Corero, for its part, said that it has disclosed the "kill switch" to national security agencies. The firm also suggests that the attack is worse than originally believed, as it can also be exploited to steal or modify data from vulnerable Memcached servers. The firm claims that vulnerable Memcached servers can be forced into divulging data cached from the local network or host, including database records, website customer information, emails, API data, and more.

"The 'flush_all' command has always been available in memcached," Corero CEO Ashley Stephenson said. "What Corero discovered was the possibility of using it to defeat this DDoS exploit."

This isn't, however, a solution to the DDoS amplification or data exfiltration threat as the only way to get out of this mess is to secure the Memcached servers. "However, with over 95,000 of these servers currently exposed on the Internet," the company said it's expecting to see these "amplification attacks for many months to come."
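
As an added example (not from the article, Corero or the Memcached project), the sketch below audits a memcached options file for the two settings behind the exposure described above: a listen address reachable from outside the host and an enabled UDP listener. The sample files are constructed; `-l`, `-p` and `-U` are memcached's listen-address, TCP-port and UDP-port options, and treating a missing `-U` as "UDP enabled on the TCP port" is an assumption matching the exposed default the article describes.

```python
import shlex

DEFAULT_PORT = 11211                      # port named in the article
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(conf_text):
    """Collect -l, -p and -U values from one-option-per-line config text."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)   # drops '# ...' comments
        for i, tok in enumerate(tokens):
            if tok in ("-l", "-p", "-U") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]          # "-l 127.0.0.1"
            elif tok[:2] in ("-l", "-p", "-U") and len(tok) > 2:
                opts[tok[:2]] = tok[2:]            # "-U0"
    return opts

def audit(conf_text):
    """Return a list of findings; an empty list means neither issue is present."""
    opts = parse_options(conf_text)
    # Assumption: addresses are given without a ":port" suffix.
    addrs = [a.strip() for a in opts.get("-l", "").split(",") if a.strip()]
    # No -l at all means memcached listens on every interface.
    exposed = not addrs or any(a not in LOOPBACK for a in addrs)
    # Assumption: without -U, UDP follows the TCP port (check your build's default).
    udp_port = int(opts.get("-U", opts.get("-p", DEFAULT_PORT)))
    findings = []
    if udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}; disable with -U 0")
    if exposed:
        findings.append("listens on a non-loopback address; bind with -l 127.0.0.1 "
                        "or firewall the port")
    return findings

# Constructed sample files, not taken from any real host.
WEAK_CONF = """# default-style file
-m 64
-p 11211
-u memcache
"""
HARDENED_CONF = WEAK_CONF + "-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```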
